What We Can Learn From The Adobe E-Reader Mess

Earlier this month we wrote about potential malicious behavior in Adobe's e-reader software, “Digital Editions.” There were several independent reports claiming that Adobe's software was sending back to Adobe—in the clear—a list of books read in the software. There were also independent reports that the program was sending back lists of books on an attached e-reader, even if those books had never been opened in ADE itself—in other words, collecting information not just about the book you are reading now, but your electronic library.

On the other hand, not everyone was able to replicate the all of this behavior, so we decided to run our own tests. We were able to confirm that Adobe Digital Editions 4.0.0 was sending back metadata, including the title and pages read, about books read in the software. Even more troubling, the software was sending back information about books loaded onto certain attached e-readers – contrary to Adobe's claim that it collected information solely “for the eBook currently being read by the user and not for any other eBook in the user’s library or read/available in any other reader.”

To perform these tests we ran Wireshark, an open source program that records network traffic, allowing researchers to analyze it. With Wireshark running we opened Adobe Digital Editions and performed some tasks such as adding books to the library, reading books, and deleting books. On each start of the software it would send back metadata about the previous session such as titles of books, pages read, time spent reading and more.

Data being sent to Adobe's servers. Including book title and pages read.

We were also able to reproduce the results of the experiment run by The Digital Reader. To perform these tests we again used Wireshark. We plugged a Sony Reader PRS-600 into a computer with ADE installed. When we started ADE with the reader plugged in, we observed ADE sending back data about what has been happening on the reader such as books added and deleted from the reader. Books which were never opened in Adobe Digital Editions.

We were also able to confirm that Adobe Digital Editions gets information from other e-readers that simply have Adobe software installed on them, such as the Sony Reader, Nook, and Boyue. Of course, there may be other readers that are also susceptible.

Last week, responding to criticism about these privacy violations, Adobe released a new version of their reader software. The changelog states that it has “Enhanced security for transmitting rights management and licensing validation information. With this latest version of Digital Editions 4.0.1, the data is sent to Adobe in a secure transmission (using HTTPS).”

We decided to run more tests to determine exactly what data—if any—Adobe was still collecting about reading habits. To perform these tests we used Fiddler. Fiddler is a local proxy that intercepts HTTPS traffic and allows you to decrypt it. It does this by performing a “man in the middle” attack, where it intercepts the traffic before it is encrypted, and encrypts it to a key that you control, allowing it to be decrypted.

With this test we were able to determine that Adobe is now encrypting the connections between ADE and Adobe servers. But more importantly, it appears that Adobe is no longer sending back metadata on what books you read. When we performed tests with the new version, the only time we saw data going back to an Adobe server was when an ebook with DRM was opened for the first time. This data is most likely being sent back for DRM verification purposes, and it is being sent over HTTPS. It even seems that Adobe has gone one step further and shut down plaintext HTTP access to their logging servers, so that even ADE 4.0 is no longer able to send back data about what books you are reading.

It appears the problem is solved, for now. So, what can we learn from this mess?

If you make a mistake that violates your user's privacy, you must immediately and completely fix the problem. We applaud Adobe for taking action to fix the privacy problems in their Digital Editions software.

Adobe has a lot more to do to restore reader trust. First, they developed and marketed a product that seriously compromised reader privacy. Second, when the flaw was exposed, they admitted one error (transmitting data in the clear) but continued to deny collecting information about reader libraries.

We can't trust vendors to protect our privacy for us. We expect Adobe didn't deliberately set out to undermine our privacy – but it happened anyway, and could have continued indefinitely if the Digital Reader hadn't done a little investigating. Which leads to the final lesson:

Doctorow's Law: Anytime someone puts a lock on something you own, against your wishes, and doesn't give you the key, they're not doing it for your benefit. ADE is not exactly a lock, but it collects a host of information about the reader in order to, among other things, “facilitate the implementation of different licensing models by publishers.” In other words, to assist sellers, not readers. So let us suggest a corollary to Doctorow's law: Anytime someones collect information about you, without your knowledge and against your wishes, they're not doing it for your benefit.

Related Updates

Every now and then we have to remind someone that it's not illegal for people to report facts that they dislike. This time, the offender is electric scooter rental company Bird Rides, Inc. Electric scooters have swamped a number of cities across the US, many of the scooters carelessly discarded...

When is software free? Is it enough that the software be licensed under a free or open license? What about patents? Software as a service? Trade secrets? What about DRM? Is software ever free? There's a saying in the software freedom movement: "if you can't open it, it's not yours....

Correction 12/4/18: This post has been edited to correct the description of the new exemption, and to acknowledge the contributions of SPN, LCA, and Harvard. Online games have finally found their way into the video game preservation exemption to Section 1201 of the Digital Millennium Copyright Act (DMCA). This...

We’re pleased to announce that the Library of Congress and the Copyright Office have expanded the exemptions to Section 1201 of the DMCA, a dangerous law that inhibits speech, harms competition, and threatens digital security. But the exemptions are still too narrow and too complex for most technology...

Washington, D.C.—The Electronic Frontier Foundation won petitions submitted to the Library of Congress that will make it easier for people to legally remove or repair software in the Amazon Echo, in cars, and in personal digital devices, but the library refused to issue the kind of broad, simple and robust...

If you've ever bought an inkjet printer, you know just how much the manufacturers charge for ink (more than vintage Champagne!) and you may also know that you can avoid those sky-high prices by buying third-party inks, or refilled cartridges, or kits to refill your own cartridges. The major...

Computer science has long grappled with the problem of unknowable terrain: how do you route a packet from A to E when B, C, and D are nodes that keep coming up and going down as they get flooded by traffic from other sources? How do you shard a database...

Have you ever wanted to talk with the Electronic Frontier Foundation about the risks of talking in public about security issues, especially in connected Internet of Things devices? Tomorrow, you'll get your chance. Information security has never been more important: now that everything from a car to a voting...

Congress has never made a law saying, "Corporations should get to decide who gets to publish truthful information about defects in their products,"— and the First Amendment wouldn't allow such a law — but that hasn't stopped corporations from conjuring one out of thin air, and then defending it as...